How to capture a FTP session password with tcpdump.

Posted: July 17, 2017. At: 1:02 PM. This was 5 months ago. Post ID: 10942
Page permalink.
WordPress uses cookies, or tiny pieces of information stored on your computer, to verify who you are. There are cookies for logged in users and for commenters. These cookies expire two weeks after they are set.

How to capture packets from a network with tcpdump and get an FTP login password.

I used this tcpdump command line to capture packets traveling over my network, this was intended to capture an FTP login. I am using an Anonymous login as a example, but there is still a password involved. This way, I can capture an FTP login easily, if I know someone on the network is doing FTP tasks.

localhost /home/jason # tcpdump -A port ftp -i wlp2s0 > dump.out

Now I can get the FTP password from the capture file.

localhost /home/jason # cat dump.out | grep PASS
01:59:57.344755 IP 10.1.1.219.36564 > ftp6.gwdg.de.ftp: Flags [P.], seq 17:43, ack 199, win 237, options [nop,nop,TS val 2057831 ecr 1933241270], length 26: FTP: PASS mozilla@example.com
..fgs:..PASS mozilla@example.com

That is how I managed to capture packets from a FTP session without needing Wireshark installed.

To get information about hosts on a network, use the netdiscover command as root.

┌─[][root@parrot][/home/user]
└──╼ # netdiscover -r 10.1.1.0/24

This is the output that you should get, this shows the IP and MAC addresses of all network nodes.

 Currently scanning: Finished!   |   Screen View: Unique Hosts                                                                             
 
 9 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 540                                                                           
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 10.1.1.1        e0:b9:e5:b8:31:ba      7     420  Technicolor                                                                             
 10.1.1.40       00:13:46:3a:02:83      1      60  D-Link Corporation                                                                      
 10.1.1.184      f0:25:b7:fa:01:4a      1      60  Unknown vendor

Another way to scan for live hosts on a LAN is with Nmap. This example will return only live hosts on the network.

┌─[root@parrot][/home/user]
└──╼ # nmap -sP -PA21,22,25,3389 10.1.1.0/24 #21 is used by ftp
 
Starting Nmap 7.50 ( https://nmap.org ) at 2017-07-17 12:57 UTC
Nmap scan report for dsldevice.lan (10.1.1.1)
Host is up (0.00054s latency).
MAC Address: E0:B9:E5:B8:31:BA (Technicolor)
Nmap scan report for BLUFOR.lan (10.1.1.40)
Host is up (-0.088s latency).
MAC Address: 00:13:46:3A:02:83 (D-Link)
Nmap scan report for 10.1.1.184
Host is up (-0.091s latency).
MAC Address: F0:25:B7:FA:01:4A (Samsung Electro-mechanics(thailand))
Nmap scan report for parrot.lan (10.1.1.7)
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 19.41 seconds

No comments have been made. Use this form to start the conversation :)

Leave a Reply